California’s new privacy law should apply to government, too

The DMV reportedly is bringing in more than $50 million annually for names, physical addresses and car registration information.

Photo: Richard Vogel / Associated Press

The clock is ticking on the reality of the California Consumer Privacy Act (CCPA), which takes effect on Jan. 1. As a practical matter, it still will await enforcement rules to be drafted by Attorney General Xavier Becerra’s office to meet a statutory July 1, 2020 deadline. Two of the CCPA’s important principles are minimization (narrowly tailoring data to its authorized use) and sharing limits (clear rules to limit data sharing with service providers and third parties to that which is needed to carry out the express purposes expected and authorized by consumers).

It will be interesting to see how these principles are applied to California state and municipal agencies. Although many perceive the CCPA as a potent weapon to be used against private sector firms, this should not obscure that bad behavior by government itself also is possible. This may be even more egregious, since consumers will have a difficult time opting out of obtaining permissions or benefits that only government can provide.

The California Department of Motor Vehicles collects massive amounts of personal data to process driver’s licenses and registrations. The information it gathers also is especially useful outside DMV to law enforcement authorities who enforce traffic and vehicular violations, as well as in broader aspects of crime prevention. These valid and varied purposes justify why so much data is gathered, stored and shared internally and with other state and local agencies. Presumably, the DMV also has developed its own plan for data minimization and sharing limits.

But to date, this plan is opaque to the public, with the same pattern extending across hundreds of state government agencies and thousands of local ones. Alas, the CCPA’s broad coverage in these areas applies to businesses but not to any level of government. And regardless of the public visibility of government agency minimization and data sharing limit plans, government agencies will not be restricted under the CCPA in making third-party access to sensitive personal information available on a commercial basis.

The DMV, for example, is doing just that to bring additional revenue into its coffers — over $50 million annually for names, physical addresses and car registration information, according to Motherboard Tech by Vice. It has been doing so for at least six years, too, with eager buyers such as data broker LexisNexis and consumer credit reporting agency Experian, along with garden-variety private investigators developing leads for domestic dispute files. Consequently, state agencies will not be legally obligated to disclose this practice, nor will they be prohibited from selling this information to outsiders with very different needs for the data, or even without any public purpose.

The CCPA specifies that private companies operating websites must include a “Do Not Sell My Personal Information” option on their home pages. Voluntary government compliance with this requirement is possible, but highly unlikely. Alternatively, the law could be extended to cover the DMV with this requirement, with a comparable mandate for those applying or renewing at a local office. It could cover all state and local government agencies, too, for both online and in-person transactions. The next iteration of the CCPA already has begun, so this seems to be an appropriate legislative route.

Since the CCPA amendment process is complex and not a sure bet, however, the simpler and more timely solution would be an executive order issued by Gov. Gavin Newsom that either prohibits unrelated third-party sale of personal information by government agencies, or allows it provided that consumers are notified and can opt out easily through a one-click process online or a check mark on a paper form.

Data privacy principles are nice to hear about, but only meaningful if they apply to businesses and government alike, since sensitive personal information is the same regardless of who is collecting, storing and disseminating it.

Stuart N. Brotman is a fellow at the Woodrow Wilson International Center for Scholars in Washington, D.C. He is based in its Science and Technology Innovation Program, focusing on digital privacy policy issues.